A few days ago Kelly Shortridge, a product manager at SecurityScorecard detected some unexpected behavior on her PC, as a honeypot Canarytoken reported being accessed by Chrome.exe. That's not what you'd expect from a web browser normally, except for one thing -- Google did add some antivirus-y capabilities to its browser on Windows late last year as an enhancement to its Chrome Cleanup tool that can help reset hijacked settings. Google Chrome security lead Justin Schuh explained how the feature works and pointed to some documentation about it, and that was that -- until last night.
If you are hitting this issue and you want a fix right now then go to chrome://downloads in your browser, go to the menu in the top right, and select Clear All. That will clear Chrome's list of downloaded files so that it won't have any files to existence-check at startup. If you have a large list of downloaded files then this will improve startup time slightly.
It turns out the "AV scanning" wasn't that at all, and what it was doing could affect you right now. It turns out that Chrome is checking the integrity of downloaded files at startup, and a bug lead it to that particular folder. It relies on the Downloaded History list for this check, and if you have a lot of files in there, it could slow down your computer when you start Chrome. While the dev team is working to skip the check entirely in a future update, users worried about it can fix it by clearing their download history. Easy, right?
I was wondering why my Canarytoken (a file folder) was triggering & discovered the culprit was chrome.exe. Turns out @googlechrome quietly began performing AV scans on Windows devices last fall. Wtf m8? This isn't a system dir, either, it's in \Documents\ pic.twitter.com/IQZPSVpkz7
— Kelly Shortridge (@swagitda_) March 29, 2018
Followed up with @swagitda_ and it turns out the log events weren't CCT scans. Chrome existence-checks (code below) previously downloaded files, but a bug moved the checks into the startup path. Clearing download history stops the checks. Bug filed here: https://t.co/gLNHJRSGq2 pic.twitter.com/r0aeVAsurr
— Justin Schuh 😑 (@justinschuh) April 6, 2018
Unwanted software protection
The Windows version of Chrome is able to detect and remove certain types of software that violate Google's Unwanted Software Policy. If left in your system, this software may perform unwanted actions, such as changing your Chrome settings without your approval. Chrome periodically scans your device to detect potentially unwanted software. In addition, if you have opted in to automatically report details of possible security incidents to Google, Chrome will report information about unwanted software, including relevant file metadata and system settings linked to the unwanted software found on your computer.
If you perform an unwanted software check on your computer from the Settings page, Chrome reports information about unwanted software and your system. System information includes metadata about programs installed or running on your system that could be associated with harmful software, such as: services and processes, scheduled tasks, system registry values commonly used by malicious software, Windows proxy settings, and software modules loaded into Chrome or the network stack. You can opt out of sharing this data by deselecting the checkbox next to "Report details to Google" before starting the scan.
If unwanted software is detected, Chrome will offer you an option to remove the software by using the Chrome Cleanup Tool. The Chrome Cleanup Tool also reports information about unwanted software and your system to Google, and again you can opt out of sharing this data by deselecting the checkbox next to "Report details to Google" before starting the cleanup.